You can import a signer certificate, which is also called a certificate authority (CA) certificate, from a truststore on a non-z/OS platform server to a z/OS® keyring.
Procedure
- On the non-z/OS platform server, change to the install_root/bin directory and start the iKeyman utility, which is called ikeyman.bat (Windows®) or ikeyman.sh (UNIX®). The install_root variable refers to the installation path for WebSphere® Application Server.
- Within the iKeyman utility, open the server truststore. The default server truststore is the trust.p12 file, located in the ${USER_INSTALL_ROOT}/config/cells/<cell_name>/nodes/<node_name> directory. The default password is WebAS.
- Extract the signer certificate from the truststore using the iKeyman utility. Complete the following steps to extract the signer certificate:
  - Select Signer certificates from the menu.
  - Select root from the list.
  - Select Extract.
  - Select the correct data type. The signer_certificate can have either a Base64-encoded ASCII data type or a Binary DER data type.
  - Specify the fully qualified path and the file name of the certificate.
- From an FTP prompt on the non-z/OS platform server, type ascii to change the file transfer to ASCII mode. ASCII mode is the right choice for a certificate extracted as Base64-encoded ASCII; if you extracted it as Binary DER, type binary instead, because the ASCII-to-EBCDIC translation performed in ASCII mode corrupts a DER file.
- You can ftp the certificate to the z/OS platform either as a file in the Hierarchical File System (HFS) or as an MVS data set. To ftp as a data set, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' mvs.dataset. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The mvs.dataset variable is the data set name to which the certificate is exported. To ftp as a file in the HFS, from an FTP prompt on the non-z/OS platform server, type put 'signer_certificate' file_name. The signer_certificate variable refers to the name of the signer certificate on the non-z/OS platform server. The file_name variable is the name of the file in the HFS to which the certificate is exported.
The RACDCERT CERTAUTH ADD command in the next step works with a Multiple Virtual Storage (MVS) data set only. You can either turn the certificate file into a binary MVS data set directly, or use the put command with an HFS file and then use the following command to copy the file into an MVS data set:
cp -B /u/veser/Cert/W21S01N.p12 "//'VESER.CERT.W21S01N'"
- On the z/OS platform server, go to option 6 in the Interactive System Productivity Facility (ISPF) dialog panels and issue the following commands as a super user to add the signer certificate to the z/OS keyring:
  - Type RACDCERT CERTAUTH ADD ('signer_certificate') WITHLABEL('WebSphere Root Certificate') TRUST. Here signer_certificate is the MVS data set that contains the certificate. The WebSphere Root Certificate variable refers to the label name for the certificate authority (CA) certificate that you are importing from a non-z/OS platform server. The keyring_name variable in the following commands refers to the name of the z/OS keyring that is used by the servers in the cell.
  - Type RACDCERT ID(ASCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
  - Type RACDCERT ID(DMCR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
  - Type RACDCERT ID(DMSR1) CONNECT(CERTAUTH LABEL('WebSphere Root Certificate') RING(keyring_name))
In the previous commands, ASCR1, DMCR1, and DMSR1 are the RACF® IDs under which the started tasks for the cell run in WebSphere Application Server for z/OS. The ASCR1 value is the RACF ID for the application server control region. The DMCR1 value is the RACF ID for the deployment manager control region. The DMSR1 value is the RACF ID for the deployment manager server region.
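The following script is an added example, not part of the IBM documentation. It picks the FTP transfer mode from the encoding of the extracted signer certificate (the page's ASCII step covers the Base64 case; this also handles Binary DER) and prints the put, RACDCERT ADD, CONNECT and LISTRING commands of the procedure with the label, keyring and RACF IDs filled in. The file and data set names, the keyring name WASKeyring and the usage RACF IDs are assumptions.

```shell
#!/bin/sh
# Added example; not from the IBM documentation. It chooses the FTP transfer
# mode from the encoding of the extracted signer certificate and prints the
# put, RACDCERT ADD, CONNECT and LISTRING commands of the procedure above with
# the label, keyring and RACF IDs filled in. Data set names, HFS paths, the
# keyring name and any RACF IDs passed in are assumptions; substitute your own.

# cert_transfer_mode FILE
# Prints "ascii" for a Base64-encoded (PEM) certificate and "binary" for a DER
# certificate; fails on anything else. FTP ASCII mode translates the text to
# EBCDIC, which is what RACDCERT expects for Base64 input; the same translation
# would corrupt a DER file, so DER has to go across in binary mode.
cert_transfer_mode() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo ascii
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo binary     # DER starts with an ASN.1 SEQUENCE tag, byte 0x30
    else
        echo "unrecognised certificate encoding: $1" >&2
        return 1
    fi
}

# zos_commands FILE DATASET LABEL KEYRING ID...
# Line 1 is the FTP mode command, line 2 the put, then one RACDCERT ADD, one
# CONNECT per RACF ID, and a LISTRING for the first ID to verify the result.
zos_commands() {
    cert=$1
    dataset=$2
    label=$3
    ring=$4
    shift 4
    mode=$(cert_transfer_mode "$cert") || return 1
    echo "$mode"
    echo "put '$cert' $dataset"
    echo "RACDCERT CERTAUTH ADD ('$dataset') WITHLABEL('$label') TRUST"
    for id in "$@"; do
        echo "RACDCERT ID($id) CONNECT(CERTAUTH LABEL('$label') RING($ring))"
    done
    echo "RACDCERT ID($1) LISTRING($ring)"
}

# Usage with the page's RACF IDs and constructed names (assumptions):
# zos_commands /tmp/websphere_root.arm VESER.CERT.W21S01N \
#     'WebSphere Root Certificate' WASKeyring ASCR1 DMCR1 DMSR1
```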
Results
After completing these steps, the z/OS keyring contains the signer certificates that originated on the non-z/OS platform server.
What to do next
To verify that the certificates were added, use option 6 on the ISPF dialog panel and type the following command:
RACDCERT ID(CBSYMSR1) LISTRING(keyring_name)
The CBSYMSR1 value is the RACF ID for the application server region.
Note: Although iKeyman is supported for WebSphere Application Server Version 6.1, customers are encouraged to use the administrative console to export signer certificates.